
Ignition Client Blocked by Java Security Settings (Certificate Expired)

Posted by Dave Fogle, Last modified by Dave Fogle on 12/06/2018 03:01 PM

Ignition uses a technology called Java Webstart for launching clients from the Gateway. When a jar file used to launch a client is downloaded from the Gateway, Java checks whether the certificate that was used to sign the jar file is valid. If the certificate doesn't pass this check, then depending on the version of Java running on the client, either a warning is displayed or the client is prevented from executing. As of February 15th, 2016 16:00:00 PST (November 29th, 2018 16:00 PST for the additional versions now listed below), the certificate used to sign some older versions of Ignition will have expired, and launching clients via Webstart may not be possible without intervention. If you run across one of the following error/warning messages or any similar errors, then you are currently running a version of Ignition that was signed with the expired certificate. Sometimes these error messages will allow you to check a few boxes that let you bypass the warning and launch a client. Other times you will be unable to launch a client at all.

Errors/Warnings

 

Affected Versions

(Expired on Feb. 15, 2016)

  • Ignition 7.5.13 and earlier (all preceding branches as well)
  • Ignition 7.6.x (all versions in the 7.6 branch are affected)
  • Ignition 7.7.5 and earlier (within the 7.7 branch)
  • Ignition 7.8.0 (this is the only version affected in the 7.8 branch)

 (Expired on Nov. 29, 2018)

  • Ignition 7.7.6 - 7.7.9
  • Ignition 7.8.1 - 7.8.3
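To confirm which expiry applies to the jars a Gateway actually serves, the signer certificate's validity window can be read with `keytool -printcert -jarfile <jar>`. The following is an added example, not Inductive Automation's code: it parses that output and flags expired signers. The sample output, the certificate names in it and the time-zone table are constructed assumptions.

```python
"""Added example: flag expired signers in `keytool -printcert -jarfile` output."""
import re
from datetime import datetime, timedelta, timezone

# Zone abbreviations used in the sample; extend for other locales (assumption).
TZ_OFFSETS = {"UTC": 0, "GMT": 0, "PST": -8, "PDT": -7}

OWNER = re.compile(r"^Owner: (.+)$")
VALIDITY = re.compile(r"^Valid from: (.+?) until: (.+)$")

# Constructed sample shaped like keytool output; all names are placeholders.
SAMPLE = """\
Signer #1:

Signature:

Owner: CN=Example Vendor Inc, O=Example Vendor Inc, C=US
Issuer: CN=Example Code Signing CA, O=Example CA, C=US
Serial number: 1a2b3c
Valid from: Mon Feb 11 16:00:00 PST 2013 until: Mon Feb 15 16:00:00 PST 2016
"""


def parse_java_date(text):
    """Parse the java.util.Date form, e.g. 'Mon Feb 15 16:00:00 PST 2016'."""
    _dow, mon, day, clock, zone, year = text.split()
    naive = datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[zone])))


def signer_status(keytool_output, now):
    """Return (owner, not_after, expired) for every certificate in the output."""
    results, owner = [], None
    for raw in keytool_output.splitlines():
        line = raw.strip()
        if (m := OWNER.match(line)):
            owner = m.group(1)
        elif (m := VALIDITY.match(line)):
            not_after = parse_java_date(m.group(2))
            results.append((owner, not_after, now > not_after))
    return results


if __name__ == "__main__":
    for owner, not_after, expired in signer_status(SAMPLE, datetime.now(timezone.utc)):
        state = "EXPIRED" if expired else "valid"
        print(f"{state}: {owner} (not after {not_after.isoformat()})")
```

keytool prints every certificate in the signer's chain, so the function returns one tuple per certificate rather than only the leaf.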

 

Workarounds and Fixes

For situations where the warning/error does not allow you to bypass it and launch a client, there are several options at your disposal to get around these errors if you encounter them. One option is applied on the gateway side, and the others are applied on the client side. You only need to choose one of these workarounds, but if you choose one of the client-side options, you'll have to apply that workaround to each client machine on which you need to launch an Ignition client.

 

Gateway side

1) Upgrade Ignition to the newest stable version within your current branch, or to the newest version in the next closest LTS branch that's higher than what's currently installed.

  • Upgrading is the best solution as it ensures that you're running a version of Ignition that's been signed by the newest certificate. 

 

Client Side

2) Use the Ignition Native Client Launcher (Preferred)

  • For users that are running a version of Ignition that has the Ignition Native Client Launcher, switching to this launching method will avoid the issue because the native client launcher does not use Java Webstart to launch an Ignition client. 

3) Edit Java security settings via the Java Control Panel. Any or all of these settings may need to be changed depending on the case.

  • Add the URL of the gateway to the Exception Site List under the "Security" tab.

  • Turn off the "signed code certificate revocation checks" setting under the "Advanced" tab.

 

 
